Description:
Nikhil Komawar from Rackspace reported an information leak in Glance logs. The password for the store backend is logged at WARNING level as part of the URL when authentication to the requested store fails. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Glance store backend. Only Glance setups using the store backend are affected.
----

A user can upload an image to glance with a --location swift-url, using his own swift account. Maybe the leak is not the default swift store present in /etc/glance/glance-api.conf but the user account.

Also it is not clear what can make the authentication request fail. Is it a connection problem, or when the user changes his password?

The case when I saw this was: when the call was happening while a user token was being used to get image data for an image that is publicized using the export task functionality. (The code is not upstream yet). However, the user does not have the right context to use that image.

Haven't had a chance to explore more permutations of invalid context for the user when this line would be logged. In any case, I believe that we should remove logging such sensitive info from the code.

Nikhil: Right, if the intent was to report the issue in private then any fixes should have been attached as patches directly to the bug instead of submitting to public code review. Ultimately it's up to the discretion of the bug reporter as to whether we observe an embargo period on the report and discuss the vulnerability and fixes in private, or whether it is reported/fixed in public.

This patch removes logging of sensitive store location uri, which
is logged when an exception occurs while trying to get the object
from the store or due to a failure in getting the store api due to
unauthorized context.

Here's an updated impact description incorporating Thierry's suggestion from comment #7 along with our recently revised format and my guess above about affected versions. I'll go ahead and request a CVE on the oss-security for this if nobody objects.

Description:
Nikhil Komawar from Rackspace reported an information leak in Glance logs. The password for the Swift store backend is logged at WARNING level as part of the URL when authentication to the requested store fails. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Glance Swift store backend. Only Glance setups using the Swift store backend are affected.

There are two flavours of Swift store: Single Tenant and Multi Tenant. Typically in the case of Multi Tenant no credentials are stored in the location field. If set_image_location is disabled by policy then there is no credentials leak for Multi Tenant mode. I wonder if something like the following should be considered:

"Only Glance setups which use the Swift store are affected. In the case of a Multi Tenant Swift "
"store where 'set_image_location' is disabled by policy there is no vulnerability. In the case of a Single Tenant "
"Swift store backend an attacker with access to the logs (local shell, log aggregation system access, "
"or accidental leak) may potentially leverage this vulnerability to elevate privileges and gain "
"full direct access to the Glance Swift store backend. In the case of both Single and Multi Tenant Swift "
"store backends where the set_image_location policy is not disabled, an attacker with access "
"to the logs may potentially access any credentials contained in locations which have "
"been explicitly set by any user. "

I concede to not being familiar enough with Swift's various deployment models, but do worry about getting overly specific about identifying affected configurations. The goal is to provide enough detail that the lowest-common-denominator operator/sysadmin can determine whether they should upgrade/apply the patch, without getting into the weeds and without being so verbose that they stop reading (which usually happens after the first few sentences). How about...

Description:
Nikhil Komawar from Rackspace reported an information leak in Glance logs. The password for the Swift store backend is logged at WARNING level as part of the URL when authentication to a store fails if image location is not disabled by policy or the store is a single-tenant configuration. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Glance Swift store backend. Only Glance setups using the Swift store backend are affected.

This patch removes logging of sensitive store location uri, which
is logged when an exception occurs while trying to get the object
from the store or due to a failure in getting the store api due to
unauthorized context.
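
Added example, not part of the bug thread or the Glance patch: a check an operator could run over existing logs to find lines where a Swift store location URI was written with embedded credentials, and to redact them before the logs are shared. The log line layout, host names and credential values below are constructed for illustration and are not real Glance output.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Swift store location URIs: swift://, swift+http://, swift+https://
URI_RE = re.compile(r"\bswift(?:\+https?)?://[^\s'\"]+")


def redact_uri(uri):
    """Return the URI with any userinfo part (user:key@) replaced by a marker."""
    parts = urlsplit(uri)
    if "@" not in parts.netloc:
        return uri  # no credentials in the location, e.g. multi-tenant style
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit(
        (parts.scheme, "***@" + host, parts.path, parts.query, parts.fragment)
    )


def scan_log(lines):
    """Return (redacted_lines, hits); hits are 1-based numbers of leaking lines."""
    redacted_lines, hits = [], []
    for number, line in enumerate(lines, 1):
        redacted = URI_RE.sub(lambda m: redact_uri(m.group(0)), line)
        if redacted != line:
            hits.append(number)
        redacted_lines.append(redacted)
    return redacted_lines, hits


# Constructed sample lines (assumed layout, placeholder credentials).
SAMPLE_LOG = [
    "2014-01-01 12:00:00 WARNING glance.store [-] Get image 42 data from "
    "swift+https://tenant%3Auser:s3cret@auth.example.org/v2.0/glance/42 failed",
    "2014-01-01 12:00:05 WARNING glance.store [-] Get image 43 data from "
    "swift+https://storage.example.org/v1/AUTH_abc/glance/43 failed",
    "2014-01-01 12:00:09 INFO glance.api [-] image 44 uploaded",
]

if __name__ == "__main__":
    cleaned, leaking = scan_log(SAMPLE_LOG)
    print("lines exposing credentials:", leaking)
    for line in cleaned:
        print(line)
```

Any credential found this way should be treated as exposed and rotated; redacting the log does not undo the disclosure.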